Beta - Storage Account With Cross Tenant Replication Enabled

  • Query id: 50e0a9e3-7360-483c-9873-ba1ea1a7faf8
  • Query name: Beta - Storage Account With Cross Tenant Replication Enabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 281
  • Risk score: 3.0
  • URL: Github

Description

No resource of type 'azurerm_storage_account' should set 'cross_tenant_replication_enabled' to true, because replicating data into another Azure AD tenant increases the risk of unauthorized data access.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_storage_account" "positive1" {
  name                     = "positive1"
  resource_group_name      = azurerm_resource_group.positive1.name
  location                 = azurerm_resource_group.positive1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  cross_tenant_replication_enabled = true
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_storage_account" "negative1" {
  name                     = "negative1"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"

  # missing "cross_tenant_replication_enabled" - defaults to false
}

resource "azurerm_storage_account" "negative2" {
  name                     = "negative2"
  resource_group_name      = "testRG"
  location                 = "northeurope"
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"

  cross_tenant_replication_enabled = false
}
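As an added example (not KICS's own Rego query), the following Python scanner runs this check over the page's three samples. The regex-based block parser and the provider_default parameter are my assumptions; the parameter exists because azurerm 3.x applies true when the attribute is omitted, while azurerm 4.x applies false, so an absent attribute is only safe under the 4.x default that the negative sample assumes.

```python
import re

# Constructed sample input: the three resources from this page, trimmed to
# the attributes the check cares about.
SAMPLE_TF = """
resource "azurerm_storage_account" "positive1" {
  name                     = "positive1"
  account_replication_type = "GRS"
  cross_tenant_replication_enabled = true
}

resource "azurerm_storage_account" "negative1" {
  name                     = "negative1"
  # missing "cross_tenant_replication_enabled"
}

resource "azurerm_storage_account" "negative2" {
  name                     = "negative2"
  cross_tenant_replication_enabled = false
}
"""

# Top-level resource blocks: the body runs until a closing brace in column 0.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
ATTR_RE = re.compile(
    r"^\s*cross_tenant_replication_enabled\s*=\s*(true|false)\b", re.MULTILINE
)


def find_cross_tenant_replication(tf_source, provider_default=False):
    """Names of azurerm_storage_account resources whose effective
    cross_tenant_replication_enabled is true. provider_default is the value
    the provider applies when the attribute is absent (azurerm 3.x: true,
    azurerm 4.x: false); assumed parameter, not part of the KICS query."""
    findings = []
    for block in BLOCK_RE.finditer(tf_source):
        if block.group("type") != "azurerm_storage_account":
            continue
        body = re.sub(r"#.*", "", block.group("body"))  # drop line comments
        attr = ATTR_RE.search(body)
        enabled = provider_default if attr is None else attr.group(1) == "true"
        if enabled:
            findings.append(block.group("name"))
    return findings
```

With the 4.x default only positive1 is reported; with provider_default=True (the 3.x behaviour) negative1 is reported as well, which is why pinning the provider version matters when relying on the omitted-attribute form.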